Error 400: resourceInUseByAnotherResource

[elouanKeryell-Even]

Terraform Version

$ terraform -v
Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/google v3.62.0
+ provider registry.terraform.io/hashicorp/google-beta v3.62.0
+ provider registry.terraform.io/hashicorp/tls v3.1.0

Affected Resource(s)

• google_compute_url_map

Terraform Configuration Files

I define a google_compute_url_map, which depends on a backend_service provided by module GoogleCloudPlatform/lb-http/google:

module "generated_cloud_loadbalancer" {
  source            = "GoogleCloudPlatform/lb-http/google"
  version           = "4.3.0"
  name              = var.network_name
  project           = var.project
  create_address    = false
  create_url_map    = false
  http_forward      = false
  target_tags       = []
  security_policy   = google_compute_security_policy.policy.self_link
  backends          = {
    "redacted" = {

      description                     = null
      protocol                        = v.protocol.id
      port                            = v.protocol.port
      port_name                       = v.protocol.port_name
      timeout_sec                     = null
      connection_draining_timeout_sec = null
      enable_cdn                      = false
      session_affinity                = null
      affinity_cookie_ttl_sec         = null
      custom_request_headers          = null
  //    security_policy                 = google_compute_security_policy.policy.self_link
      health_check                    = null

      log_config = {
        enable      = true
        sample_rate = 1.0
      }

      iap_config =  {
        enable                        = false
        oauth2_client_id              = null
        oauth2_client_secret          = null
      }

      groups = [ {
        group                        = v.neg_id
        balancing_mode               = null
        capacity_scaler              = null
        description                  = null
        max_connections              = null
        max_connections_per_instance = null
        max_connections_per_endpoint = null
        max_rate                     = null
        max_rate_per_instance        = null
        max_rate_per_endpoint        = null
        max_utilization              = null
      }]
    }
  }
  firewall_networks = []
}

resource "google_compute_url_map" "default" {
  name                = var.network_name
  default_service     = module.generated_cloud_loadbalancer.backend_services[local.default_backend_name].self_link
  project             = var.project
  host_rule {
    hosts        = ["*"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = module.generated_cloud_loadbalancer.backend_services[local.default_backend_name].self_link

    dynamic "path_rule" {
      for_each      = {for k, v in module.cloud_run_negs.cloud_run_instances_with_neg_id : k => v if k != local.default_backend_name}
      content {
        service     = module.generated_cloud_loadbalancer.backend_services[path_rule.key].self_link
        paths       = path_rule.value.context_paths
      }
    }
  }
  depends_on        = [module.generated_cloud_loadbalancer]

}

Debug Output

• terraform plan: https://gist.github.com/elouanKeryell-Even/a9b7878b8959ab58921bdc1b1456da20
• terraform apply: https://gist.github.com/elouanKeryell-Even/5f51462dc8a6c48dad80a9f4b7463a58

Panic Output

N/A

Expected Behavior

When I change the name of the backend_services (i.e. module variable var.backend), this is what I expect to happen:

• terraform creates new backend_service with new name
• terraform updates url_map to point to new backend_service
• terraform destroys old backend_service

Actual Behavior

This is what actually happens:

• terraform starts by destroying old backend_service --> fails because url_map is linked to it:

module.external-https-loadbalancer.module.generated_cloud_loadbalancer.google_compute_backend_service.default["redacted-bck"]: Destroying... [id=projects/redacted/global/backendServices/redacted-lb-backend-redacted-bck]

. . .
. . .
. . .

Error: Error when reading or editing BackendService: googleapi: Error 400: The backend_service resource 'projects/redacted/global/backendServices/redacted-lb-backend-redacted-bck' is already being used by 'projects/redacted/global/urlMaps/redacted-lb', resourceInUseByAnotherResource

Steps to Reproduce

1. Write a terraform conf file which instanciates module GoogleCloudPlatform/lb-http/google and declares an url_map linked to the backend_service generated by the module
2. Apply: terraform apply
3. Now in the conf file change the name of the backend variable of the module
4. Apply change: terraform apply

Important Factoids

N/A

References

• Dependencies are not taken into account for google_compute_url_map during deletions hashicorp/terraform-provider-google#8284
• resourceInUseByAnotherResource when deleting health check and autohealing from instance group manager hashicorp/terraform-provider-google#1883
• Error 400: The instance_template resource 'X' is already being used by 'Y', resourceInUseByAnotherResource hashicorp/terraform-provider-google#6277
• GKE Ingress SslCertificate Resource In Use By Another Resource (create_before_destroy = true) hashicorp/terraform-provider-google#8160

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[steffen74]

I just had the same issue.
Te same also happens, for example, when changing the url_mask in the cloud run section of the resource "google_compute_region_network_endpoint_group".

[sreenivas-ps]

i'm having the same issue, is there any update on this?

[bholbrook73]

I'm running into this issue changing the domains for the SSL.

I've changed the domain from dev.section.domain.com to dev-section.domain.com. I'm expecting the SSL to be detached, deleted, recreated, and then attached again. What I get is:

Error: Error when reading or editing ManagedSslCertificate: googleapi: Error 400: The ssl_certificate resource 'projects/PROJECT_ID/global/sslCertificates/appname-load-balancer-cert' is already being used by 'projects/PROJECT_ID/global/targetHttpsProxies/appname-load-balancer-https-proxy', resourceInUseByAnotherResource

[nburns]

Still having this issue

[dmanci]

(First off, thanks for everyone's hard work on this project, it's very useful.)

I'm having a related issue attempting to remove network endpoint groups. I've got Terraform that looks something like this:

google_compute_region_network_endpoint_group "neg" {
  for_each = toset(var.regions)
  ...
}

...

module "lb-http" {
  ...
  backends = {
    groups = [
      for neg_id in var.neg_ids :
      {
        group = neg_id
      }
    ]
  }
}

In attempting to remove 2/3 regions, Terraform tries to destroy the NEGs and then update the lb-http backends list. This results in a similar 400 error "The network_endpoint_group resource is already being used by , resourceInUseByAnotherResource.

[sadminriley]

@elouanKeryell-Even @dmanci Did you guys ever find a workaround for this?

[dmanci]

@elouanKeryell-Even @dmanci Did you guys ever find a workaround for this?

@sadminriley Our "workaround" was easy because we weren't live in production yet... destroy the load balancer, change the negs, and recreate it. 😄 Otherwise, no we haven't discovered a way to do it without downtime.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days